A provider that offers free unprotected Wi-Fi should not be held responsible when their users use the service to infringe copyright. This is according to the Court of Justice of the European Union (CJEU) in the long-running German case of Tobias McFadden v Sony Music Entertainment Germany GmbH (C-484/14). The circumstances of the case were that a shop owner was providing free Wi-Fi via a connection named “freiheitstattangst.de”.

The CJEU found that the provider may be able to rely on the ‘mere conduit’ defence against liability in the E-commerce Directive. In contrast to an internet website host, a Wi-Fi-provider normally doesn’t store any information (such as copyright works) of a more permanent nature. For example, the downloading of a film is not normally continued for any length of time and, after having transmitted the information, the Wi-Fi-provider no longer has any control over that information. A Wi-Fi-provider is simply not in a position to take action to remove certain information or disable access to it at a later time.

In addition, the CJEU concluded that a national court could order a provider of free Wi-Fi to take steps to prevent the infringement through password protected accounts and obtaining user identity information.

In this decision the CJEU has struck a balance between the interests of copyright holders and other fundamental rights, especially in relation to the right of freedom to conduct a business and the right of others to information. As pointed out by the CJEU, when several fundamental rights protected under EU law are at stake, it is for the national authorities or courts concerned to ensure that a fair balance is struck between those rights.

One controversial aspect is that a court may issue an injunction requiring a Wi-Fi provider to password protect its network, but the CJEU has stated that password protection is an effective measure only if the user is required to provide identity details to the Wi-Fi provider so that the user cannot act anonymously. However, a provider may not try to obtain users’ identity details by mandatory means. That would interfere with users’ right to privacy (Art. 7 EU Charter of Fundamental Rights) and potentially the right to protect personal data (Art. 8 EU Charter of Fundamental Rights).